Amazon Inspector is a security assessment service that helps you improve the security and compliance of applications running on your EC2 instances. It automatically assesses applications for vulnerabilities against predefined best practices. Once an assessment has run, Amazon Inspector gives you a detailed list of security findings, each with a severity level, so you can decide which vulnerabilities are critical and need to be fixed first.

Using Amazon Inspector to Scan EC2 Instances

In order to use Amazon Inspector to scan your EC2 instances, you need to perform the following steps:

Open Amazon Inspector in the AWS console.

If you are accessing it for the first time, you will see the Getting Started page, as shown in the following figure.

On the prerequisites page, you need to specify the following three options:

An IAM Role: You need an IAM role that grants Amazon Inspector permission to perform vulnerability tests on the specified EC2 instances. Amazon Inspector can create this role for you if you have not already created one.

Tag Name: A tag key and value are used to select the instances on which the vulnerability test will run.

An AWS Agent: To communicate with your EC2 instances, Amazon Inspector requires an agent installed on each instance to be assessed.

Defining an Assessment Target

On the Define an assessment target page, type the target name and specify the tag key of your instance, such as Name, and its value, such as the instance name. Make sure the instance you wish to scan has the same tag key and value assigned.

Selecting Rules Packages

Rules packages specify which services, modules, ports, and so on are going to be scanned. There are various vendor-specific rules packages that you may want to use while scanning your EC2 instances. Visit the following links to learn more about the available rules packages.

On the Define an assessment template page, you need to define a template name.

Select the rules packages and the duration for which you plan to run the test. For example, select the Security Best Practices-1.0 rules package and 1 Hour as the duration.

On the Review page, click the Create button. The target will be created.

On the next page, select the target you have created and then click Run.

Once your assessment run is complete, you will see all the vulnerabilities found by Amazon Inspector. Amazon Inspector also provides recommendations that you can follow to address the reported vulnerabilities.
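The two decisions the steps above leave to you are which instances the tag filter selects and which findings to fix first. The following is an added example, not Amazon Inspector's own code or API: a local Python model of tag-based target selection (an instance that lacks the tag is never selected) and of triage by severity. The instance IDs, tags, findings and recommendations are constructed sample data; only the severity names High, Medium, Low and Informational are assumed to match what the console shows.

```python
"""Added example (not Amazon Inspector's own code or API): a local model of
how an assessment target selects instances by tag key/value, and of triaging
the findings that come back by severity. All instances, tags and findings
below are constructed sample data; the instance IDs are placeholders."""

from collections import defaultdict

# Severity order used to rank findings; highest first.
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}

# Constructed sample of instances with their tags (placeholder IDs).
INSTANCES = [
    {"id": "i-0aaa000000000001", "tags": {"Name": "web-prod-1", "Env": "prod"}},
    {"id": "i-0aaa000000000002", "tags": {"Name": "web-prod-2", "Env": "prod"}},
    {"id": "i-0aaa000000000003", "tags": {"Name": "db-dev-1", "Env": "dev"}},
    {"id": "i-0aaa000000000004", "tags": {"Env": "prod"}},  # no Name tag at all
]

# Constructed sample findings in the shape the text describes: an instance,
# a severity, a title and a recommendation.
FINDINGS = [
    {"instance": "i-0aaa000000000001", "severity": "Medium",
     "title": "Password complexity not enforced",
     "recommendation": "Configure pam_pwquality"},
    {"instance": "i-0aaa000000000001", "severity": "High",
     "title": "Root login over SSH permitted",
     "recommendation": "Set PermitRootLogin no"},
    {"instance": "i-0aaa000000000002", "severity": "Low",
     "title": "ASLR not enabled",
     "recommendation": "Set kernel.randomize_va_space=2"},
    {"instance": "i-0aaa000000000003", "severity": "High",
     "title": "TCP SYN cookies disabled",
     "recommendation": "Enable net.ipv4.tcp_syncookies"},
]


def select_target(instances, tag_key, tag_value):
    """Return IDs of instances whose tag `tag_key` equals `tag_value`.
    Instances that lack the tag entirely are never selected."""
    return [inst["id"] for inst in instances
            if inst["tags"].get(tag_key) == tag_value]


def triage(findings, target_ids, min_severity="Low"):
    """Keep only findings for instances in the target, drop anything below
    `min_severity`, and order the rest highest severity first."""
    keep = [f for f in findings
            if f["instance"] in target_ids
            and SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[min_severity]]
    return sorted(keep, key=lambda f: (-SEVERITY_RANK[f["severity"]],
                                       f["instance"], f["title"]))


def summarize(findings):
    """Count findings per severity so a run can be reported at a glance."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    target = select_target(INSTANCES, "Env", "prod")
    ranked = triage(FINDINGS, target, min_severity="Medium")
    for f in ranked:
        print(f"{f['severity']:<8} {f['instance']}  {f['title']}  ->  {f['recommendation']}")
    print(summarize(ranked))
```

Note that the fourth sample instance carries the Env tag but no Name tag, so a target defined on Name would silently miss it; checking the selected list against your inventory before running the assessment catches that.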

That’s all you need to perform scanning on your AWS-hosted instances using Amazon Inspector. The best thing about using Amazon Inspector is that you do not need any approval from the AWS security team to scan your EC2 instances. Otherwise, when scanning from an external source, you first need to provide the source and destination IP addresses, the scanning time window, and some other information to the AWS security team, and they may or may not approve the scan of your EC2 instances.

If you perform scanning from an external location (outside the AWS network) against your EC2 instances without consulting the AWS security team, they may treat this traffic as threat traffic and may shut down your EC2 instances, even if they are your production servers.

In the previous article, we created and used Internet Gateways to route traffic to and from the Internet for AWS public subnets. However, Internet gateways alone do not route Internet traffic for instances in private subnets. Here, we will learn about AWS NAT Gateways, which let you accomplish this.

NAT gateways are only required when you want to provide Internet access to EC2 instances located inside private subnets. There are two options: your own EC2 instance acting as a NAT gateway (a NAT instance), or the AWS NAT Gateway service.

Difference between NAT instances and NAT Gateways

There are various differences between NAT instances and NAT gateways, and each has its own pros and cons. We highly recommend reading the following article to get familiar with NAT instances vs. NAT gateways.

A NAT instance is suitable for Dev, QA, and testing infrastructures, where you can stop, start, scale, and manage it according to your own requirements. For enterprise production servers, however, NAT gateways are recommended, because they are managed by AWS, scale automatically as needed, and do not require any manual intervention. Here, we will focus on the NAT Gateway (platform as a service).

A NAT gateway takes the traffic from all private instances, replaces their private source IP addresses with its own public IP address, and then forwards it to the Internet gateway. When creating a NAT gateway, make sure you place it in a public subnet whose route table has a route entry for the Internet gateway; otherwise, the traffic will not be routed to the Internet.

Please visit the following link to learn more about AWS NAT Gateways.

In the previous article, we created a VPC with two subnets, one public and one private. However, your public subnet will not be able to route traffic to and from the Internet until you manually attach an Internet Gateway to your custom VPC. In this article, we will explore how to create and use an Internet Gateway with an AWS VPC.

An Internet gateway is the exit point for internal EC2 instances and the entry point for outside public users. In the AWS Cloud, you can logically think of an Internet Gateway as a router that separates the public and private networks. Each public subnet requires a route to an Internet gateway in order to serve public users and reach services on the Internet.

Please visit the following link to learn more about AWS Internet Gateways.

Typically, when you create a VPC, an Internet Gateway is also created by default. If you wish to add an additional or different Internet gateway, which typically should not be required, you can do so. For this, perform the following steps:

Select the Internet Gateways option in the left pane.

Click the Create Internet Gateway option and specify the name of the gateway.

Click the Yes, Create button to complete the task.

In the Internet Gateways list, select the created IGW, and then click the Attach to VPC option.

In the Attach to VPC window, select the VPC that you want to attach to this IGW and then click Yes, Attach, as shown in the following figure.

That’s all you need to create and attach an Internet Gateway to an AWS VPC. An Internet gateway can only be attached to a single VPC. However, a single Internet Gateway can serve multiple subnets (through their route tables) inside that VPC.
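What makes a subnet "public" or "private" in both the NAT Gateway article and this one is not the gateway itself but the route table the subnet is associated with: a 0.0.0.0/0 route to an igw- target makes it public, a 0.0.0.0/0 route to a nat- target makes it private, and the NAT gateway must itself sit in a public subnet. The following is an added example, not AWS code: a local Python model of route tables that performs longest-prefix matching the way a VPC route table does, classifies subnets, traces the egress path from a private subnet through the NAT gateway to the Internet gateway, and flags a NAT gateway placed in a subnet without an IGW route. The VPC and subnet CIDRs follow the articles; the resource IDs, route tables and associations are constructed placeholders.

```python
"""Added example (not AWS code): a local model of VPC route tables that
classifies subnets as public, private or isolated and checks the NAT
gateway placement rule (the NAT gateway must sit in a subnet whose route
table sends 0.0.0.0/0 to an Internet gateway). Resource IDs, route tables
and associations are constructed placeholders."""

import ipaddress

# Constructed VPC layout (placeholder IDs): one public subnet, one private
# subnet, one subnet with no Internet route at all, one IGW, one NAT gateway.
VPC_CIDR = "10.50.0.0/16"
SUBNETS = {
    "subnet-public1": "10.50.1.0/24",
    "subnet-private1": "10.50.2.0/24",
    "subnet-private2": "10.50.3.0/24",   # deliberately lacks a NAT route
}
NAT_GATEWAYS = {"nat-0abc": "subnet-public1"}   # NAT gateway -> its subnet

# Route tables: lists of (destination CIDR, target). The "local" route for
# the VPC CIDR is present in every table, as it is in AWS.
ROUTE_TABLES = {
    "rtb-public": [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-0abc")],
    "rtb-private": [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-0abc")],
    "rtb-isolated": [(VPC_CIDR, "local")],
}
# Subnet -> route table association.
ASSOCIATIONS = {
    "subnet-public1": "rtb-public",
    "subnet-private1": "rtb-private",
    "subnet-private2": "rtb-isolated",
}


def lookup_route(routes, destination_ip):
    """Longest-prefix match, the way a VPC route table chooses a route.
    Returns the target, or None if no route covers the address."""
    addr = ipaddress.ip_address(destination_ip)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def subnet_kind(subnet_id):
    """'public' if the Internet-bound route hits an Internet gateway,
    'private' if it hits a NAT gateway, 'isolated' if there is none."""
    routes = ROUTE_TABLES[ASSOCIATIONS[subnet_id]]
    target = lookup_route(routes, "203.0.113.10")  # any non-VPC address
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "other"


def egress_path(subnet_id, destination_ip):
    """Trace how a packet from `subnet_id` reaches `destination_ip`,
    following a NAT gateway hop into the NAT subnet's own route table."""
    path, seen = [], set()
    target = lookup_route(ROUTE_TABLES[ASSOCIATIONS[subnet_id]], destination_ip)
    while target is not None and target.startswith("nat-") and target not in seen:
        seen.add(target)
        path.append(target)
        nat_subnet = NAT_GATEWAYS[target]
        target = lookup_route(ROUTE_TABLES[ASSOCIATIONS[nat_subnet]], destination_ip)
    path.append(target)
    return path


def check_nat_placement(nat_gateways=NAT_GATEWAYS):
    """Describe every NAT gateway that is not in a public subnet."""
    return [f"{nat} is in {sub}, which is {subnet_kind(sub)}"
            for nat, sub in nat_gateways.items() if subnet_kind(sub) != "public"]


if __name__ == "__main__":
    for sub in SUBNETS:
        print(sub, subnet_kind(sub), egress_path(sub, "203.0.113.10"))
    print("NAT placement problems:", check_nat_placement() or "none")
```

Running it shows subnet-private1 reaching the Internet as ["nat-0abc", "igw-0abc"], while subnet-private2 ends in None because its route table has only the local route, which is exactly the symptom of a private subnet that was created but never associated with a NAT route.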

VPC is the backbone of the AWS cloud platform. To become an AWS expert, you must have a good understanding of AWS VPC and its components. If you come from a networking background, managing a VPC might be fairly easy for you. However, candidates from a development background should spend a good amount of time getting familiar with it.

A VPC is a separate, isolated, private network in the AWS cloud. By default, instances in one VPC cannot communicate with instances in another VPC. For various reasons, we may need multiple VPCs in the AWS cloud. Here, we will see how to create, manage, and delete VPCs.

For more details on AWS VPC and its components, please visit the following link.

Creating VPC in AWS Cloud

On the Select a VPC Configuration page, click each of the options and review the description of the features they provide.

Depending on your requirements, select the appropriate VPC configuration. Here, we will select the VPC with Public Subnet option, as shown in the following figure.

Note: You can add more subnets to the VPC later and customize your VPC options.

On the next page, specify the VPC name, subnet range, Availability Zone, and so on. Here we are going to specify the following values:

IPv4 CIDR Block: 10.50.0.0/16

VPC Name: My_Test_VPC

Public Subnet CIDR: 10.50.1.0/24

Availability Zone: Select the first availability zone.

Subnet Name: Public_Subnet1

Click the Create VPC button to proceed. The VPC will be created and will appear in the VPC list, as shown in the following figure.

Creating and Adding Private Subnet in Existing VPC

Since we selected the VPC with Public Subnet option, we need to create the private subnet separately. A private subnet is not directly reachable from outside networks and requires a NAT gateway to access the Internet. Typically, back-end and database servers should always be placed in private subnets.

If you are interested, you can visit the following link to learn more about AWS VPCs and subnets.

Select the Subnets option in the navigation pane and then click Create Subnet.

On the Create Subnet page, specify the following values:

Name tag: The name of the subnet

VPC: Select the VPC in which you want to create the subnet

Availability Zone: Select the zone in which you want to create the subnet

IPv4 CIDR block: Specify the subnet IP range

We will go with the following values:

Name tag: Private_Subnet1

VPC: My_Test_VPC

Availability Zone: ap-southeast-2b

IPv4 CIDR block: 10.50.2.0/24

Click the Yes, Create button to proceed. A new private subnet will be added to your existing VPC.
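The console rejects a subnet CIDR that falls outside the VPC or overlaps an existing subnet only at creation time, so it pays to validate the whole address plan first. The following is an added example, not AWS code: a Python check using the standard library's ipaddress module over the article's own values (10.50.0.0/16 with 10.50.1.0/24 and 10.50.2.0/24). It verifies that every subnet lies inside the VPC CIDR, that no two overlap, that prefix lengths stay within the /16 to /28 range AWS accepts, lists the five addresses AWS reserves in each subnet, and finds the next free block for the subnets the Note above says you can add later. The extra bad entries in the usage section are constructed to show the failure messages.

```python
"""Added example (not AWS code): validating a VPC/subnet plan like the one
in the text before creating it in the console. Uses only the standard
library. The plan values are the article's own; the bad entries under
__main__ are constructed to show the failure messages."""

import ipaddress

AWS_RESERVED_PER_SUBNET = 5   # network, VPC router, DNS, future use, broadcast
MIN_PREFIX, MAX_PREFIX = 16, 28   # AWS accepts /16 through /28 for VPCs and subnets

PLAN = {
    "vpc_cidr": "10.50.0.0/16",
    "subnets": {
        "Public_Subnet1": "10.50.1.0/24",
        "Private_Subnet1": "10.50.2.0/24",
    },
}


def validate_plan(vpc_cidr, subnets):
    """Return a list of problems; an empty list means the plan is sound."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not MIN_PREFIX <= vpc.prefixlen <= MAX_PREFIX:
        problems.append(f"VPC prefix /{vpc.prefixlen} outside /16-/28")
    accepted = {}
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name} {cidr} is outside VPC {vpc_cidr}")
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            problems.append(f"{name}: prefix /{net.prefixlen} outside /16-/28")
        for other_name, other in accepted.items():
            if net.overlaps(other):
                problems.append(f"{name} overlaps {other_name}")
        accepted[name] = net
    return problems


def usable_hosts(cidr):
    """Addresses available to instances after the AWS-reserved ones."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def reserved_addresses(cidr):
    """The five addresses AWS keeps in every subnet: the first four and the last."""
    net = ipaddress.ip_network(cidr)
    return [str(net[i]) for i in range(4)] + [str(net[-1])]


def next_free_subnet(vpc_cidr, subnets, new_prefixlen=24):
    """First block of the requested size inside the VPC that does not
    overlap any existing subnet; None if the VPC is full."""
    vpc = ipaddress.ip_network(vpc_cidr)
    taken = [ipaddress.ip_network(c) for c in subnets.values()]
    for candidate in vpc.subnets(new_prefix=new_prefixlen):
        if not any(candidate.overlaps(t) for t in taken):
            return str(candidate)
    return None


if __name__ == "__main__":
    print("problems:", validate_plan(PLAN["vpc_cidr"], PLAN["subnets"]) or "none")
    for name, cidr in PLAN["subnets"].items():
        print(f"{name}: {usable_hosts(cidr)} usable, reserved {reserved_addresses(cidr)}")
    print("next free /24:", next_free_subnet(PLAN["vpc_cidr"], PLAN["subnets"]))
    # Constructed bad entries: outside the VPC, overlapping, and too small.
    bad = {"Outside": "10.60.0.0/24", "Overlap": "10.50.1.128/25", "Small": "10.50.9.0/29"}
    for p in validate_plan(PLAN["vpc_cidr"], {**PLAN["subnets"], **bad}):
        print("problem:", p)
```

Each /24 leaves 251 usable addresses rather than 254, which matters when sizing subnets for auto-scaling groups; and because the article's subnets start at 10.50.1.0, the first free /24 the helper returns is 10.50.0.0/24.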

Deleting AWS VPC

If you no longer require a VPC for any reason, you can delete it at any time. To do so, select the VPC you want to delete, click Actions, and then select Delete VPC, as shown in the following figure.

Note: Deleting a VPC will also delete its associated components, such as subnets, NAT gateways, route tables, Internet gateways, etc. So be aware of the resources that are going to be deleted.

That’s all you need to create a VPC in the AWS cloud. Next, we will look at how to configure VPC peering between two VPCs.